Authentication Service Delivery Made EASY™
LDAP Synchronization Agent
Configuration Guide
Copyright © 2013 SafeNet, Inc. All rights reserved.
All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice. SafeNet and SafeNet Authentication Service are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners.
SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications.
Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.
Support
SafeNet technical support specialists can provide assistance when planning and implementing SafeNet Authentication Service. In addition to aiding in the selection of the appropriate authentication products, SafeNet can suggest deployment procedures that will provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.
SafeNet works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a SafeNet channel partner, please contact your partner directly for support needs.
To contact SafeNet Authentication Service support directly:
Europe / EMEA North America
Revision History
Date         Description                                                                 Version
2013.07.18   Corrected the Environment table; updated screenshots for SAS                4.1
2013.06.27   Minor text changes                                                          4.0
2012.06.30   Updated for SafeNet branding; removed CRYPTOCard / BlackShield branding     3.0
2011.05.09   Minor updates                                                               2.0
Contents
Applicability ... 5
Environment ... 6
Overview ... 6
Features ... 8
Preparation and Prerequisites ... 9
Configuring the Agent ... 10
Sync Agent Configuration Tool ... 14
  Status Tab ... 14
    LDAP Configuration Group ... 14
    LDAP Sync Groups ... 14
    Last Sync Status Group ... 14
    Transaction Details Group ... 15
  Configuration Tab ... 16
    LDAP Configuration Group ... 17
    LDAP Sync Group(s) ... 19
    LDAP Schema Configuration ... 20
    Other Synchronization Options ... 20
      Mobile Number Country Code ... 20
      LDAP Scan Interval ... 20
      SafeNet Authentication Service Synchronization Server ... 20
    Re-initialize Source ... 21
  Notification Tab ... 21
    SMTP Configuration ... 21
    E-Mail Test ... 21
Applicability
The information in this document applies to:
• SafeNet Authentication Service (SAS)
  A cloud authentication service of SafeNet Inc.
• SafeNet Authentication Service – Service Provider Edition (SAS-SPE)
  The software used to build a SafeNet authentication service.
• SafeNet Authentication Service – Private Cloud Edition (SAS-PCE)
  A term used to describe the implementation of SAS-SPE on-premise.
Environment
Summary

Supported Platforms: Windows XP SP3; Windows 2003 R2 Server; Windows 2008 SP2 and Windows 2008 R2; Windows Vista SP2; Windows 7; Windows 8; Windows Server 2012
Supported Architecture: 32-bit; 64-bit
Additional Software Components: Windows: .Net 2.0
Network Ports: TCP Port 8456; TCP Port 389; TCP Port 636 (optional)
Supported LDAP Directory Servers: Active Directory; Sun One 6.x; Novell eDirectory 8.x
LDAP Directory Server Access: Read-only
Supported LDAP Groups: Single LDAP Group; Multiple LDAP Groups
Overview
1. The organization imports its agent key file into the LDAP Synchronization Agent, configures a connection to its LDAP Directory Server, then selects one or more LDAP groups.
2. The LDAP Synchronization Agent queries the LDAP Directory server for all users within the selected LDAP Group(s).
3. For each member of the group, the first name, last name, username, email address, address, phone, mobile and all LDAP groups are transmitted to and stored in the LDAP Synchronization Agent.
4. The LDAP Synchronization Agent pushes all user and group information to the SafeNet Authentication Service, which in turn creates each user and group in the Virtual Server.
5. The LDAP Synchronization Agent queries the LDAP Directory server every 30 minutes (default synchronization period) and compares the user and LDAP group information against that stored in its persistent cache.
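The scan, compare and push cycle above can be made concrete with a small simulation. This is an added example written for this guide, not the SafeNet agent's own code: the DirectoryUser, ScanResult and SyncAgent names are this example's, and the directory records are constructed sample data standing in for the result of an LDAP group query. It shows why the persistent cache matters (a scan with no differences sends nothing) and what Re-initialize Source does to it.

```python
"""Scan / compare / push cycle of the Overview, as an added illustration.

Example code written for this guide, not the SafeNet agent's implementation.
The directory records used in demo() are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    """The attributes the Overview lists as transmitted for each group member."""
    username: str
    first_name: str
    last_name: str
    email: str
    mobile: str = ""
    groups: frozenset = frozenset()


@dataclass
class ScanResult:
    """What the Status tab reports after a scheduled scan."""
    unique_objects: int
    added: list
    removed: list
    changed: list

    @property
    def differences(self) -> int:
        return len(self.added) + len(self.removed) + len(self.changed)


class SyncAgent:
    """Holds the persistent cache and pushes to SAS only when the scan differs from it."""

    def __init__(self):
        self.cache = {}            # username -> DirectoryUser (the persistent cache)
        self.sent_transactions = 0

    def compare(self, ldap_users):
        """Diff the current directory view against the persistent cache."""
        current = {u.username: u for u in ldap_users}
        added = [u for name, u in current.items() if name not in self.cache]
        removed = [u for name, u in self.cache.items() if name not in current]
        changed = [u for name, u in current.items()
                   if name in self.cache and self.cache[name] != u]
        return ScanResult(len(current), added, removed, changed), current

    def synchronize(self, ldap_users):
        """One scheduled scan (step 5). Returns the ScanResult for the Status tab."""
        result, current = self.compare(ldap_users)
        if result.differences:
            # The real agent would transmit the changes to SAS over TCP 8456 with
            # AES encryption; this example only counts the transaction.
            self.sent_transactions += 1
            self.cache = current
        return result

    def reinitialize_source(self):
        """Re-initialize Source: drop the cache so the next scan rebuilds it in full."""
        self.cache = {}


def demo():
    """Three scans and a re-initialisation; returns per-scan differences plus the push count."""
    agent = SyncAgent()
    alice = DirectoryUser("alice", "Alice", "Ng", "alice@example.com",
                          "0778-89991111", frozenset({"VPN Users"}))
    bob = DirectoryUser("bob", "Bob", "Roy", "bob@example.com",
                        "0778-89992222", frozenset({"VPN Users", "Admins"}))
    first = agent.synchronize([alice, bob])          # both new -> 2 differences, 1 push
    second = agent.synchronize([alice, bob])         # nothing changed -> no push
    bob_moved = DirectoryUser("bob", "Bob", "Roy", "bob@example.com",
                              "0778-89992222", frozenset({"VPN Users"}))
    third = agent.synchronize([alice, bob_moved])    # group membership changed -> 1 difference
    agent.reinitialize_source()
    fourth = agent.synchronize([alice, bob_moved])   # cache empty -> every user is 'added' again
    return [first.differences, second.differences, third.differences,
            fourth.differences, agent.sent_transactions]


if __name__ == "__main__":
    print(demo())   # [2, 0, 1, 2, 3]
```

The fourth scan is the point to notice: after Re-initialize Source the agent has no record of what it already pushed, so the next scan reports every object as a difference and sends a full transaction, which is the behaviour the Re-initialize Source section describes.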
Features
Most organizations maintain information about their users in an LDAP directory such as Active Directory. The purpose of the Synchronization Agent is to auto-populate SafeNet Authentication Service with users maintained in one of these user sources.
Key features of the agent are:
• Can be used with almost any LDAP Directory Server.
• Can accommodate custom schemas.
• Does not write to the user source.
• Does not require an administrator account to connect to the user source.
• Can synchronize multiple user sources (e.g. multiple LDAPs).
• Uses AES encryption between the LDAP Synchronization Agent and the SafeNet Authentication Service.
Preparation and Prerequisites
1. From the COMMS tab of your virtual server, select Authentication Processing > LDAP Sync Agent Settings.
2. Click the Download button to download the Synchronization Agent Key File (BSIDSyncConfigFile.bmc). This file will be required during configuration of the LDAP Sync Agent.
3. Download the LDAP Sync Agent installation package. A link to the Agents and other software can be found on the Snapshot Tab in the References Module.
4. The following information will be required to complete the configuration of the agent after installation:
   • The IP address/host name and port number of your LDAP Directory Server.
   • An account name and password that can be used by the LDAP Synchronization Agent to connect to the LDAP Directory Server. This account password should be set to never expire to ensure the Agent is always able to connect to LDAP. The user account does not need write capability as the agent only reads from the directory.
   • TCP Port 389 or 636 open between the LDAP Synchronization Agent and the LDAP Directory Server.
   • TCP Port 8456 open between the LDAP Synchronization Agent and SafeNet Authentication Service.
5. Install the agent using the instructions provided by the installer. All configuration is performed post installation.
Configuring the Agent
From an Administrator account, launch the Agent from Start > SafeNet > Agents > SAS Sync Agent. Use “Run as administrator” if necessary.
In the Current Organization section, click the Add button. Browse to the location of the BSIDSyncConfigFile.bmc and load the file.
In the LDAP Configuration section, click the Configure button.
Enter the host name or IP address and port number of the LDAP Directory server. Select SSL if you have a certificate installed on the server.
If you have one or more failover LDAP directory servers that the agent should connect to in the event that the primary cannot be reached, indicate this by selecting the corresponding number from the Number of Failover hosts dropdown.
Click Next to continue.
Select a schema from the dropdown list. Possible default values are Active Directory, eDirectory and SunOne directory.
Enter the User DN and password created for the agent. The User DN contains the username (and the location of the user within LDAP) that the agent will use to connect to the LDAP Directory Server. If using Active Directory, this value should be entered in an email format.
Example: The BaseDN in the figure is dc=ts, DC=cryptocard, DC=com, so the user should be defined as username@ts.cryptocard.com.
The agent will automatically find all containers with users, starting from the BaseDN. You can exclude or add containers by checking the manually edit option.
The next step is to configure the LDAP group memberships, which are used to determine which users are synchronized. In other words, containers determine where to look for users, while group membership determines which users in a container will be synchronized.
Use the arrow buttons to add or remove highlighted Available Groups to/from Synchronized Groups. Click Configure in the Other Synchronization Options group.
If required, modify the LDAP Scan Interval.
Select the Notification Tab. In SMTP Configuration, select Configure.
Enter a From email address, the host name/IP address of the SMTP server, the port number and, if required, the user name and password credentials to log onto the SMTP server.
Enter one or more valid email addresses in the recipient email list and set the event.
Sync Agent Configuration Tool
The SAS Sync Agent configuration tool allows for the modification of various features available within the agent.
Status Tab
The Status tab deals primarily with supplying information on LDAP Sync Groups and their transaction details.
LDAP Configuration Group
• LDAP Connection Status
  Displays the current connection status between the agent and the LDAP Directory server.
• LDAP Configuration info
  Displays the connection information for the LDAP Server. This dialog does not display any password information.
LDAP Sync Groups
Lists all LDAP Groups configured to synchronize against the SafeNet Authentication Service.
Last Sync Status Group
• Last Sync Time
  Displays the amount of time required to scan all groups to retrieve user information.
• # of Unique Objects
  Displays the number of LDAP objects discovered during the last scheduled scan.
• # of Differences
  Displays the number of LDAP object differences between the local persistent cache and the LDAP Directory server during the last scheduled scan.
• Sent Transactions
  Displays the number of updates sent to the SafeNet Authentication Service.
• Total Users Sync’d
  Displays the number of users currently synchronized with the SafeNet Authentication Service.
Transaction Details Group
• Transaction ID
  Displays the number of the current transaction record.
• Status
  Displays the status of the transaction.
• Scan Started
  Displays the start date and time of an LDAP Directory server scan.
• Scan Ended
  Displays the end date and time of an LDAP Directory server scan.
• Sent to MAS
  Displays the date and time the transaction was delivered to SafeNet Authentication Service.
• Updated Objects
  Displays the number of new users and/or groups discovered during the last scheduled scan.
• Total Differences
  The number of differences discovered within users and/or groups.
• Refresh
  Amount of time before transaction details will be updated.
• Save As
• Clear
  Permanently deletes all transaction details.
Configuration Tab
LDAP Configuration Group
This section is used to configure the connection between the agent and the LDAP Directory server.
• Host name or IP
  Specifies the location of the LDAP server.
• Port
  By default TCP port 389 is used. If required, the Active Directory Global Catalog (TCP port 3268) may be used.
• Use SSL
  If the LDAP server has been configured to use a certificate, this option may be selected. If the option is selected, change the Port value to 636.
• Number of Failover
LDAP Schema
Includes default LDAP schema support for Active Directory (2003/2008), eDirectory 8.x and Sun One 6.x.
Additional schemas may appear if configured under LDAP Schema Configuration.
LDAP Credentials
• User DN
  If using Active Directory, the value should be entered in an email format.
  Example: The BaseDN in the figure is dc=ts, DC=cryptocard, DC=com, so username “ccldap” could be defined in User DN as ccldap@ts.cryptocard.com.
  If using another LDAP Server the User DN may be more complicated, for example: uid=ccldap, ou=Users, dc=ts, dc=cryptocard, dc=com
• Base DN
  Specifies the top level of the LDAP Server.
• Append Base DN
  This adds the Base DN to the information defined in User DN.
  Example: If you specify a User DN of uid=ccldap and select Append Base DN, the following is submitted to the LDAP Server when connecting:
  uid=ccldap, dc=ts, dc=cryptocard, dc=com
• Password
Allows for manually editing the location where users can be found.
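The port, SSL, User DN and Append Base DN rules in this group interact, and a mistake only shows up as a failed LDAP connection on the Status tab. The following pre-flight check is an added example written for this guide, not part of the SafeNet agent: the field names and the rules (TCP 389 by default, 3268 for the Active Directory Global Catalog, 636 when Use SSL is selected, e-mail-format User DN for Active Directory, Append Base DN joining the two values) come from this section; the LdapConfig class, the check_config() and upn_from_base_dn() helpers, and the sample host names are this example's own assumptions.

```python
"""Pre-flight check of the LDAP Configuration Group values (added example).

Not the agent's code. The rules come from the guide; LdapConfig, check_config()
and upn_from_base_dn() are names chosen for this example.
"""
from dataclasses import dataclass

LDAP_PORT, LDAPS_PORT, AD_GLOBAL_CATALOG_PORT = 389, 636, 3268


@dataclass
class LdapConfig:
    host: str
    port: int
    use_ssl: bool
    schema: str                  # "Active Directory", "eDirectory" or "SunOne"
    user_dn: str
    base_dn: str
    append_base_dn: bool = False


def bind_identity(cfg: LdapConfig) -> str:
    """Identity submitted to the LDAP server when the agent connects."""
    if cfg.append_base_dn:
        return f"{cfg.user_dn}, {cfg.base_dn}"
    return cfg.user_dn


def upn_from_base_dn(base_dn: str, username: str) -> str:
    """'dc=ts, DC=cryptocard, DC=com' + 'ccldap' -> 'ccldap@ts.cryptocard.com' (AD e-mail form)."""
    domain_parts = []
    for rdn in base_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().lower() == "dc":
            domain_parts.append(value.strip())
    return f"{username}@{'.'.join(domain_parts)}"


def check_config(cfg: LdapConfig) -> list:
    """Return the problems worth flagging before the agent tries to connect."""
    findings = []
    if cfg.use_ssl and cfg.port != LDAPS_PORT:
        findings.append(f"Use SSL is selected but Port is {cfg.port}; the guide says to change it to 636")
    if not cfg.use_ssl and cfg.port == LDAPS_PORT:
        findings.append("Port 636 is the SSL port; select Use SSL or use 389")
    if cfg.port not in (LDAP_PORT, LDAPS_PORT, AD_GLOBAL_CATALOG_PORT):
        findings.append(f"Port {cfg.port} is not one of 389, 636 or 3268")
    identity = bind_identity(cfg)
    if cfg.schema == "Active Directory":
        if "@" not in identity:
            findings.append("Active Directory User DN should be in e-mail format, e.g. "
                            + upn_from_base_dn(cfg.base_dn, cfg.user_dn))
        elif cfg.append_base_dn:
            # Not stated in the guide, but a consequence of its rules: appending a DN
            # to an e-mail-format name yields neither a valid UPN nor a valid DN.
            findings.append("Append Base DN is selected with an e-mail-format User DN; clear it")
    return findings


if __name__ == "__main__":
    # Constructed sample: SSL ticked but the port left at 389, and a bare AD username.
    sample = LdapConfig("dc01.example.com", 389, True, "Active Directory",
                        "ccldap", "dc=ts, DC=cryptocard, DC=com")
    for finding in check_config(sample):
        print("-", finding)
```

Run it against the values you intend to enter; an empty list means the combination is consistent with this section, which does not guarantee the directory will accept the credentials, only that the form of the configuration is right.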
LDAP Sync Group(s)
LDAP groups may be selected from Available Groups and placed into Synchronized Group(s). If the group is not visible, enter the name of the group in the Available Groups field.
Synchronization will not take place if Synchronized Group(s) contains no groups.
LDAP Schema Configuration
The schema management dialog allows for the creation of a custom schema. This can be used to view LDAP objects which are not visible by default within the LDAP Synchronization agent.
Other Synchronization Options
Mobile Number Country Code
COUNTRY CODE TO PREPEND
The agent automatically strips all non-numeric characters from the data in the “Cell Number” mapping (refer to point 7 above). In addition, if a numeric value is entered into this field, the agent will prepend this value to the “Cell Number” mapping under the following conditions:
• If the Cell Number has 00 as the leading digits, the agent will remove the leading 00. Example: 0041-77889991111 becomes 4177889991111
• If the Cell Number has 0 as the leading digit, the agent will strip the 0 and prepend the country code. Example using 31 as prepend country code: 0778-89991111 becomes 3177889991111
• If the Cell Number leading digit is 1 through 9, the agent will prepend the country code. Example using 31 as prepend country code: 778-89991111 becomes 3177889991111
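The three rules above are easy to apply by hand to one number and easy to get wrong across a whole directory, in particular for values already stored in international "+CC" form, which the rules do not recognise. The following is an added example written for this guide, not the agent's own code: normalize_cell_number() implements the rules as stated, audit_cell_numbers() previews the outcome for a list of stored values, and the phone numbers are constructed samples (the three from the guide plus one in "+31" form).

```python
"""Mobile Number Country Code normalisation (added example, not the agent's code).

Implements the rules listed for the "Cell Number" mapping. The function names
are this example's own; the phone numbers used are constructed samples.
"""
import re


def normalize_cell_number(raw: str, country_code: str = "") -> str:
    """Apply the agent's rules to one directory value.

    Non-numeric characters are always stripped. The remaining rules apply
    only when a numeric country code has been entered in the field:
      leading "00" -> drop the 00 (number already carries its country code)
      leading "0"  -> drop the 0 and prepend the country code
      leading 1-9  -> prepend the country code
    """
    digits = re.sub(r"\D", "", raw)
    if not digits or not country_code:
        return digits
    if digits.startswith("00"):
        return digits[2:]
    if digits.startswith("0"):
        return country_code + digits[1:]
    return country_code + digits


def audit_cell_numbers(values, country_code):
    """Preview what each stored value becomes, flagging values already in +CC form.

    A value such as "+31 77 ..." loses its "+" in the non-numeric strip and then,
    because it now starts with 1-9, gets the country code prepended a second
    time. Such values deserve a look before the prefix is enabled.
    """
    report = []
    for raw in values:
        normalized = normalize_cell_number(raw, country_code)
        warning = "already in international format" if raw.strip().startswith("+") else ""
        report.append((raw, normalized, warning))
    return report


if __name__ == "__main__":
    samples = ["0041-77889991111", "0778-89991111", "778-89991111", "+31 77 889991111"]
    for raw, normalized, warning in audit_cell_numbers(samples, "31"):
        print(f"{raw:>20} -> {normalized:<16} {warning}")
```

The fourth sample shows the caveat: with 31 as the prepend code, "+31 77 889991111" becomes 313177889991111, a number SafeNet Authentication Service cannot deliver SMS to. Export the "Cell Number" values and run them through the audit before entering a country code so that such values can be corrected in the directory first.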
LDAP Scan Interval
This value determines how frequently the agent will scan LDAP for changes. Only if changes are detected will the agent synchronize with the authentication server. The default value is 20 minutes.
SafeNet Authentication Service Synchronization Server
Re-initialize Source
Clears the local persistent user and group cache used by the LDAP Synchronization agent (this does not affect users and groups on SafeNet Authentication Service). The next scheduled scan will create a new set of cached data.
Notification Tab
The Notification tab deals primarily with SMTP Server configuration and alert messages.
SMTP Configuration
• Configure SMTP Settings
  Enter a From email address, the host name/IP address of the SMTP server and the port number. If required, the user name and password credentials to log onto the SMTP server may be entered.
E-Mail Test
• Enter Email Address
E-Mail Message Templates
The agent can send notification if it is unable to connect to LDAP or connect to SafeNet Authentication Service.
Event Recipient Lists
• List Name
  Display name for the event.
• Recipient E-Mail
  Enter a valid email address then select Add.
• Recipient E-Mail List
  Displays a list of all email addresses to notify.
• Events